Is this a hack attempt?

MulLa (Golden Member, joined Jun 20, 2000):
Hi all,

These are from my Linksys RV082 logs.

RGFW-IN: BLOCK-RULES (UDP 192.168.153.140:34819->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.122:36354->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.239:65027->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.172:46083->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.9:11522->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.112:3587->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.36:4099->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.227:55808->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.36:2->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.140:46848->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.144:58114->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.44:8451->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.192:49922->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.133:52227->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.138:8194->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.44:1538->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.61:29697->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.16:25859->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.132:1795->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:57 2004

They're continuing for 5 minutes, all going to that 12.47.129.151 address. I don't even have those IPs as internal IPs! I just checked my DHCP list and those IPs are definitely not there!

I know they're FTP ports but why are they trying to go from my internal LAN to this IP?


Thanks in advance for any help!!

SpunkyJones (Diamond Member, joined Apr 1, 2004):
Might be a hack. When I do an nslookup on that IP, check out the domain name that it resolves to. It would make me nervous.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Owner>nslookup 12.47.129.151
Server: boston1-qwest.bellatlantic.net
Address: 151.203.0.84

Name: ur2.st00pid.com
Address: 12.47.129.151

MulLa (Golden Member, joined Jun 20, 2000):
That nslookup certainly looked a bit dodgy.

The problem is I don't even have those IPs in my internal LAN. I can't even run a virus scan on the offending machines that are trying to send out those packets. I might have to do a scan on the entire network to make sure there are no trojans in the network.

Does anyone know what type of exploit would try to go through the FTP ports? We do have an ftp server setup to our warehouse.

MulLa (Golden Member, joined Jun 20, 2000):
:eek: How did I manage to overlook that!!!

Hm... but would you have any idea what those log entries mean?

subflava (Senior member, joined Feb 8, 2001):
I'd run a packet sniffer on all your machines to see if you can figure out where those packets are coming from. They must be coming from something on your network. If those IPs are not what you use on your network, then the source IP is probably being spoofed.

spidey07 (No Lifer, joined Aug 4, 2000):
That's unusual: the source IP address is 192.168.x.x.

Is the source on the internal or external network?

An address can be spoofed, but Internet routers drop anything from 192.168.x.x unless the provider is just stupid.

Boscoh (Senior member, joined Jan 23, 2002):
Looks like a trojan or worm/bot. More than likely it's spoofing the source address. They like to do that. Get yourself a packet sniffer and look at the source MAC address; it might not be spoofed, and that will tell you what machine it's coming from. If it's a small network, you can just unplug hosts from the switch until the traffic stops. The last host you unplugged is likely the infected computer. If you have centralized antivirus, just push out a "Scan Now" command to all the PCs.

Your router is probably blocking it because either the subnet or network number is different from the interface's address that the traffic is trying to pass through.

This would be my guess.
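As an added example (not code from the thread, from Linksys, or from any poster), here is how a practitioner would triage lines like these offline: parse the RV082 "RGFW-IN" format, list LAN-range sources that are absent from the DHCP lease/static list (the check MulLa did by hand), summarise the fan-in per destination, and, following subflava's and Boscoh's sniffer suggestion, group captured (source MAC, source IP) pairs to find the one machine forging many addresses. The log lines and frame pairs below are constructed; the lease list, the /24, the second destination (a documentation address) and the MAC addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the RV082 log format seen in the thread (not a real capture).
SAMPLE_LOG = """\
RGFW-IN: BLOCK-RULES (UDP 192.168.153.140:34819->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.122:36354->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.36:2->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:58 2004
RGFW-IN: BLOCK-RULES (UDP 192.168.153.10:1025->12.47.129.151:21 on ixp0) Mon Jun 28 11:01:57 2004
RGFW-IN: BLOCK-RULES (TCP 192.168.153.10:3344->203.0.113.5:80 on ixp0) Mon Jun 28 11:02:10 2004
"""

# Assumed LAN prefix and assumed DHCP lease / static host list (hypothetical values).
LAN = "192.168.153.0/24"
KNOWN_HOSTS = ["192.168.153.1", "192.168.153.10", "192.168.153.20"]

# Constructed (source MAC, source IP) pairs as a sniffer on the LAN segment would show them.
SAMPLE_FRAMES = [
    ("00:0c:29:aa:bb:cc", "192.168.153.10"),
    ("00:0c:29:aa:bb:cc", "192.168.153.140"),
    ("00:0c:29:aa:bb:cc", "192.168.153.122"),
    ("00:0c:29:aa:bb:cc", "192.168.153.36"),
    ("00:50:56:11:22:33", "192.168.153.20"),
]

LINE_RE = re.compile(
    r"RGFW-IN: (?P<action>[A-Z-]+) \((?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+) on (?P<iface>\w+)\) "
    r"(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})"
)


def parse_line(line):
    """Parse one RGFW-IN line into a dict, or return None if it is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    # ctime-style stamps pad single-digit days with a space; collapse runs of spaces first.
    ev["ts"] = datetime.strptime(" ".join(ev["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def unknown_sources(events, lan, known_hosts):
    """Source IPs inside the LAN prefix that no lease or static assignment accounts for."""
    net = ipaddress.ip_network(lan)
    known = {ipaddress.ip_address(h) for h in known_hosts}
    hits = set()
    for ev in events:
        src = ipaddress.ip_address(ev["src"])
        if src in net and src not in known:
            hits.add(ev["src"])
    return sorted(hits, key=ipaddress.ip_address)


def destination_summary(events):
    """Per (dst, dport, proto): event count, number of distinct sources, seconds spanned."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[(ev["dst"], ev["dport"], ev["proto"])].append(ev)
    summary = {}
    for key, evs in buckets.items():
        times = [e["ts"] for e in evs]
        summary[key] = {
            "events": len(evs),
            "distinct_sources": len({e["src"] for e in evs}),
            "span_seconds": int((max(times) - min(times)).total_seconds()),
        }
    return summary


def suspicious_destinations(summary, min_sources=3):
    """Destinations hit by many distinct sources at once. When those sources are not
    real hosts, the fan-in points at a single machine forging its source address."""
    return [k for k, v in summary.items() if v["distinct_sources"] >= min_sources]


def attribute_by_mac(frames):
    """Group sniffed (src_mac, src_ip) pairs by MAC and keep MACs that claim several IPs.
    Forging the IP header is easy; the Ethernet source usually stays the NIC's own
    address and maps to a switch port, so this names the box to pull."""
    seen = defaultdict(set)
    for mac, ip in frames:
        seen[mac.lower()].add(ip)
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("sources not in lease list:", unknown_sources(events, LAN, KNOWN_HOSTS))
    summary = destination_summary(events)
    for key in suspicious_destinations(summary):
        print("fan-in to", key, summary[key])
    print("MACs forging addresses:", attribute_by_mac(SAMPLE_FRAMES))
```

Run it against the router's exported log and the real lease table; the MAC step needs a capture taken on the LAN side (a span/mirror port or a hub), because the router only logs the IP header and the NAT boundary hides the Ethernet source.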

MulLa (Golden Member, joined Jun 20, 2000):
Thank you everyone for the advice.

subflava: That means going around to everyone and loading the sniffer. I think I'll leave that as a last resort. That's the correct subnet on my network, but no host is currently using those addresses; I checked the DHCP leases and tried pinging those hosts.

spidey07: 192.168.x.x is the subnet used for my internal network. Those logs are picked up by the router that we're using. So that means it's before the internal address is translated to an external IP?

Boscoh: That might be a good idea. I pushed out a scan for the 2 servers last night and found nothing. I might try it again today for all client machines.

The funny thing is, that log only went on for 5 minutes or so yesterday and hasn't appeared since. During that time we couldn't access the internet and couldn't ping any external hosts. That's when I went to check the logs.

Will go and do that full scan now.

Boscoh (Senior member, joined Jan 23, 2002):
Worms can spoof IPs within your subnet range too. If it is a worm, it could be spawning so many external connections that it's overloading your connection, which would explain why you cannot get to the Internet during those times.

MulLa (Golden Member, joined Jun 20, 2000):
A full network scan only turned up a few 'spybot' worms; I don't exactly remember the name, as it's written down at work. A quick search on Symantec told me that apparently it spreads on Kazaa? I wonder why SAV wasn't able to block that. Anyway, I have removed the offending files and the offending personnel got a warning. Unfortunately, we don't have an acceptable use policy. I think I ought to have a word with the CEO about this.

The funny thing is that it only happened for 5 minutes on that day. That's why I thought it was a hack attempt instead of a worm, as I'd imagine a worm would repeat its action for a longer period of time.

Oh well, I'll wait and see what happens now. The logs all look fine so far, and I'll post the name of that worm when I get back to work tomorrow for those interested.

Boscoh (Senior member, joined Jan 23, 2002):
You ought to check sometime and see if those users have Kazaa running when you cannot access the internet.